A Response to the Smart City Technical Vulnerability Report

August 20, 2018

Smart City Concept from 'How to Outsmart the Smart City'

On August 9th, 2018, during the major security conference Black Hat, security researchers from IBM and Threatcare announced major technical vulnerabilities in a variety of Smart City technology. The Smart City technology in focus ranged from Industrial IoT (things like smart meters or substation components for the electric grid) to transportation system controllers. Author Jason Murdock brought some of these vulnerabilities to life in his Newsweek article "‘Supervillain-Level’ Cyberattack Test on Cities Uncovers Shocking Flaws".

While it’s important to have an open conversation about the extent of the vulnerabilities of urban critical infrastructure, these security challenges are nothing new. In fact, there have been several reports by Thibodeaux, Cerrudo and others detailing these issues in previous years. One consideration that is often omitted from these reports is the considerable human attack surface for smart cities. These technical vulnerabilities are not exceedingly difficult for sophisticated hackers to exploit, but hackers generally like to take the path of least resistance. Urban critical infrastructure that is networked is accessible to large citizen populations via mobile applications. Citizens are not all security-savvy, and they are likely an easy target for social engineering attacks. A hacker gaining access to a citizen’s account and then escalating privilege in the urban critical infrastructure is an attractive scenario for an adversary.

Defensive Social Engineering (DSE) tools discussed on our blog, such as Cyber Negotiation, should be employed to help defend against these future smart city attacks. Others have recently discussed the merit of “hacking back” to deal with such cyberattacks. Our stance on this is that hacking back will just escalate the situation. Instead, a better strategy is to leverage the DSE tool of posturing by publicly announcing that you will hack back so that hackers take note and instead target a different organization’s assets.

While it’s interesting to hear about all of the technical vulnerabilities in the equipment, we need to remember that these vulnerabilities likely pale in comparison to the social attacks that will be waged against our urban critical infrastructure as it is increasingly digitized.